Unified Threat Management,Managed Security, and the CloudServices Model

Kurtis E. Minder CISSPGlobal Account Manager - Service Provider GroupFortinet, Inc.

IntroductionKurtis E. Minder, Technical Sales Professional

Companies: Roles:•Security Design Engineer

•Systems Engineer

•Sales Engineer

•Salesperson

•Business Development

•Global Account Manager

Actual work:•Installation / Configuration

•Design

•Support

•Product development / POC

•Audit

•Penetration testing

•Sales / BD

Agenda

• Security Overview / Appliance Primer• Unified Threat Management• Managed Security Services• Cloud Security• Questions

Security Overview / Appliance Primer

Firewalls

The Firewall was adopted to protect corporate networks from would-beInternet attackers.

• Firewalls, deployed in-line, typically use a set of network layer rules todetermine what traffic can enter/leave the network.

• Improvements to Firewall technology have been largely limited toperformance. As bandwidth increased, Firewalls had to process faster.

(Some FW companies have increased app visibility)

• New technologies are increasing FW capability to inspect traffic faster andmore intelligently

Anti-VirusAnti-Virus provides software / desktop level risk management for

workstations in the enterprise.

• Uses malicious code signature database to determine whether workstationwas being attacked/compromised.

• Enterprise solutions evolved to provide central management and enhancedcapability for workstation control. (McAfee Enterprise Policy Orchestrator.)

• As larger AV vendors acquire new technologies, feature set improves (DLP,Encryption, Config Management)

VPNVPN (Virtual Private Networking) was adopted to provide

secure remote access to corporate networks.

• Provides remote access via IPSEC or SSL to the corporate network

• Enhanced features can include workstation integrity checks androle based access control

• Also is often used to provide connectivity between networks forbusiness to business transactions.

Intrusion Detection / Prevention

IDS was developed to detect attacks on the network and alertthe security administrator

• IPS, typically inline, added the capability to stop the attackautomatically or manually

• IDS/IPS originally relied entirely on signatures, but evolved toinclude clever behavioral, heuristic-based algorithms to detect

threats

Content FilteringContent Filtering/Web Filtering emerged to increase worker

productivity and reduce workplace risk.

• Monitors web surfing and other application use leaving thecorporate network. Manages which websites each department can

use/see.

• Leverages policy to reduce risk of malicious injection of code intothe network/users browser.

• Some systems provide value added functions such as webacceleration / caching.

Data Loss PreventionData Loss Prevention (DLP) technology was developed as a

direct result of lost corporate information from inside thenetwork.

• DLP Technology uses a multi-faceted approach to solving the DataLeak problem, including network bases sensors, workstation

software, and complex policy management

• The technology is largely developed to keep corporate intellectualproperty and finance data from being distributed.

• Also used to maintain compliance initiatives around SOX, HIPAA;showing due diligence toward securing patient / customer data

Threat Evolution

Multi and Blended attacks arenow a common practice.

Email is the most commondelivery mechanism.

• The motive and intent ischanging Moving from notoriety to

financial gain. Theft of financial and personal

information.• Traditional security isn't

enough

• Malicious code exposing confidentialdata has increased significantly

The Traditional Approach to NetworkSecurity

Impact• High integration effort with multiple products

and vendors• Weak security due to lack of integration and

unified configuration• Operationally expensive to manage and

operate• Impractical and too expensive

First you buy routers, firewalls, VPNs, server load balancers…

Then you buy proxies, webfiltering, instant messagingsecurity, data loss prevention,tomorrow’s security product, andon and on.

Then you buy networkintrusion prevention, anti-virus, anti-malware, anti-spyware, anti-spam, anti-etc…

A New Security Architecture Is Required• Antispam

Reduce unwanted email

• Web filters Eliminated unproductive web-browsing

• VPN Delivering secure remote access

• Firewall Defend against intrusions

• Antivirus Protect email and web applications

from virus infection

• IPS Protect against malicious attacks

VPNVPN

IPSIPS

UsersUsers

ServersServersFirewallFirewall

AntivirusAntivirus

AntispamAntispam

URL FiltersURL Filters

• Real Disadvantages Requires multiple products that don’t

talk to each other Increases network complexity and

operational cost Non optimal security implementation

Multiple Point Solutions Add Complexity• Perceived Advantages

Comprehensive securityapproach

Quickly react to individualthreats

VPNVPN

IPSIPS

UsersUsers

ServersServersFirewallFirewall

AntivirusAntivirus

AntispamAntispam

URL FiltersURL Filters

Unified Threat Management

Security Market Evolution

Virtual private network(IPSec and SSL)

Firewall + VPN

Firewall

Secure ContentManagement

Antivirus

Antispyware

Web filtering

Messaging security

Intrusion Detection &Prevention

Intrusion detection system

Intrusion prevention system

Unified Threat ManagementFirewall Antivirus IPS Antispam Content Filtering VPN

UTM - Best treatment for Appliancitis

• Single hardware platform• Unified management interface• One vendor contract / contact• Single licensing agreement (..sometimes)• Reduced data center footprint• Power consumption reduction• Minimized point of failure/latency• Simplified network security architecture

Speeds and simplifies support and problem resolution Allows for more accurate policy development Quickly correlates events between components

• Blended threat protection!

From:

To:

UTM Box

(Small enterprise)

UTM Box for MSS and Clouds…

Managed Security Services

What is/are MSS?

Wikipedia defines Managed Security Services as simply…

“…network security services that have been outsourced. Acompany providing such a service is a ManagedSecurity Service Provider (MSSP)”

Typical reasons for engaging an MSSP to manage your IT Security…

•Improve IT Security and Compliance•Reduce Security Capex and Opex expenditures•Focus on core business intitiatives and competances

MSS Value Added Services

Services that MSSPs typically offer:

• Vulnerability Assessments• Penetration Tests• FW Management• IDS Management• VPN Management• Event Mitigation Services• Data Archival

Managed U

TM

Traditional MSS - Customer PremiseEquipment (CPE)

Facilitates Logical and Physical Segmentation Facilitates the addition of non security services such as Dial Back Up, WiFi LAN, Dual / Redundant WAN, 3G connectivity options and rate shaping / QoS NOC/SOC

IPSFirewallAVContent Filtering

Internet

MSS benefits / concerns

• Reduced CAPEX• Economies of Scale around security

services• Top security analysts reviewing log

material• Enhanced correlation and automated

security intelligence available• All updates and patches done!

• Who sees my data?• Compliance responsibilities?• I want access to my FW/Logs!• Will people lose their jobs?

Cloud Security Services

What is Cloud Security

Cloud security is essentially the concept of deliveringsecurity services without CPE. This means thatthe services are typically provisioned at the otherend of the transport medium. End Users

X/DSL / T 1

Internet

Provider Edge

Legend

Clear / Clean Traffic

Potentially “Bad” Traffic

Security Scanning

UTM in the CloudMany carriers and cloud services companies are offeringManaged Security in the Cloud via Unified Threat Management platforms. Why?

•Rapid Portfolio Creation•Seamless Provisioning•Increased Operational Efficiencies•Single Vendor Contract•Simple Licensing•Easy correlation and alerting•VIRTUALIZATION!

Value Added Services Delivery Model

Customer Wins!

Delivering “Clean Pipe” with UTM

Virtualization

Providing virtual UTM services from a single platformto multiple customers and applications.

Cloud Computing Security

These companies want to deliver your:•Applications•Desktops•Storage•High Powered Computing (HPC) Services

…from the internet to your office.And well they should…but how do we secure it?

VirtualMachine

VirtualMachineVirtualMachine

VirtualMachine

VDOM

VDOM

VDOM

VDOM

DB ProvisioningManagerManager

Analyzer

Policy and Event Information Shared

Virtualized

Virtualized

Virtualized

Virtualized

Cloud Computing Security Architecture Example

Cloud benefits / concerns

• Reduced OPEX/CAPEX• 0 point of failure• Disaster recovery / business

continuity outsourced!• Infinitely and instantly scalable

Supports “burst” Scales down for economy

• Who sees my data?• Compliance responsibilities?• Internet reliable?

About Fortinet

Company Overview• Leading provider of ASIC-accelerated Unified Threat Management

(UTM) Security Solutions• Company Stats

Founded in 2000 Silicon Valley based with offices worldwide Seasoned executive management team 1,000+ employees / 500+ engineers 300,000+ FortiGate devices shipped worldwide

• Strong, validated technologies and products 11 patents; 80+ pending Six ICSA certifications (first and only security vendor) Government Certifications (FIPS-2, Common Criteria EAL4+) Virus Bulletin 100 approved (2005, 2006, 2008)

Security Research & Development

Integrated Network Security Appliance

Application Aware,Identity Based Firewall

Routing, Traffic Shaping,Quality of Service,

Server Load Balancing

Network Anti-VirusAnti-MalwareAnti-Spyware

NetworkIntrusion

Prevention

Web URL & ContentFiltering

NetworkApplication

Control & Recording

IPSec VPN &SSL VPN Termination

•Streaming security updates for appliances•Worldwide deployment infrastructure•All original security research & development•Updates for application intelligence, web filtering,intrusion prevention, anti-virus, anti-malware, anti-spyware, vulnerability assessment & database security

•Anti-spam, anti-malware•Server, gateway & transparent•Quarantine, user self service•Archiving, logging & reporting

EmailSecurity Appliance

•Database vulnerability assessment•Security monitoring & auditing•Monitor all access, users, methods•Compliance reporting

DatabaseSecurity Appliance

NetworkData LossPrevention

The Integrated Security Platform

•XML router & accelerator•XML firewall & intrusion prevention•XML denial of service protection•SQL injection & malware protection

Web ApplicationFirewall Appliance

Worldwide Update Service

VulnerabilityManagement Appliance•Auditing•Patch Management•Reporting and Compliance•Smart Automation

Q&A

Thank You.

Kurtis E. Minder CISSPKminder@fortinet.com - kurtis@kurtisminder.com847-563-4272 - kurtisminder (skype)http://www.fortinet.comhttp://www.linkedin.com/in/kurtisminderhttp://www.kurtisminder.com